// getSecurityRules creates network security group rules based on driver
// configuration such as SSH port, docker port and swarm port.
func (d *Driver) getSecurityRules(extraPorts []string) (*[]network.SecurityRule, error) {
mkRule := func(priority int, name, description, srcPort, dstPort string, proto network.SecurityRuleProtocol) network.SecurityRule {
return network.SecurityRule{
Name: to.StringPtr(name),
Properties: &network.SecurityRulePropertiesFormat{
Description: to.StringPtr(description),
SourceAddressPrefix: to.StringPtr("*"),
DestinationAddressPrefix: to.StringPtr("*"),
SourcePortRange: to.StringPtr(srcPort),
DestinationPortRange: to.StringPtr(dstPort),
Access: network.Allow,
Direction: network.Inbound,
Protocol: proto,
Priority: to.Int32Ptr(int32(priority)),
},
}
}
log.Debugf("Docker port is configured as %d", d.DockerPort)
// Base ports to be opened for any machine
rl := []network.SecurityRule{
mkRule(100, "SSHAllowAny", "Allow ssh from public Internet", "*", fmt.Sprintf("%d", d.BaseDriver.SSHPort), network.TCP),
mkRule(300, "DockerAllowAny", "Allow docker engine access (TLS-protected)", "*", fmt.Sprintf("%d", d.DockerPort), network.TCP),
}
// Open swarm port if configured
if d.BaseDriver.SwarmMaster {
swarmHost := d.BaseDriver.SwarmHost
log.Debugf("Swarm host is configured as %q", swarmHost)
u, err := url.Parse(swarmHost)
if err != nil {
return nil, fmt.Errorf("Cannot parse URL %q: %v", swarmHost, err)
}
_, swarmPort, err := net.SplitHostPort(u.Host)
if err != nil {
return nil, fmt.Errorf("Could not parse swarm port in %q: %v", u.Host, err)
}
rl = append(rl, mkRule(500, "DockerSwarmAllowAny", "Allow swarm manager access (TLS-protected)", "*", swarmPort, network.TCP))
} else {
log.Debug("Swarm host is not configured.")
}
// extra port numbers requested by user
basePri := 1000
for i, p := range extraPorts {
port, protocol := driverutil.SplitPortProto(p)
proto, err := parseSecurityRuleProtocol(protocol)
if err != nil {
return nil, fmt.Errorf("cannot parse security rule protocol: %v", err)
}
log.Debugf("User-requested port to be opened on NSG: %v/%s", port, proto)
r := mkRule(basePri+i, fmt.Sprintf("Port%s%sAllowAny", port, proto), "User requested port to be accessible from Internet via docker-machine", "*", port, proto)
rl = append(rl, r)
}
log.Debugf("Total NSG rules: %d", len(rl))
return &rl, nil
}
func (d *Driver) configureSecurityGroupPermissions(group *ec2.SecurityGroup) ([]*ec2.IpPermission, error) {
hasSshPort := false
hasDockerPort := false
hasSwarmPort := false
for _, p := range group.IpPermissions {
if p.FromPort != nil {
switch *p.FromPort {
case 22:
hasSshPort = true
case int64(dockerPort):
hasDockerPort = true
case int64(swarmPort):
hasSwarmPort = true
}
}
}
perms := []*ec2.IpPermission{}
if !hasSshPort {
perms = append(perms, &ec2.IpPermission{
IpProtocol: aws.String("tcp"),
FromPort: aws.Int64(22),
ToPort: aws.Int64(22),
IpRanges: []*ec2.IpRange{{CidrIp: aws.String(ipRange)}},
})
}
if !hasDockerPort {
perms = append(perms, &ec2.IpPermission{
IpProtocol: aws.String("tcp"),
FromPort: aws.Int64(int64(dockerPort)),
ToPort: aws.Int64(int64(dockerPort)),
IpRanges: []*ec2.IpRange{{CidrIp: aws.String(ipRange)}},
})
}
if !hasSwarmPort && d.SwarmMaster {
perms = append(perms, &ec2.IpPermission{
IpProtocol: aws.String("tcp"),
FromPort: aws.Int64(int64(swarmPort)),
ToPort: aws.Int64(int64(swarmPort)),
IpRanges: []*ec2.IpRange{{CidrIp: aws.String(ipRange)}},
})
}
for _, p := range d.OpenPorts {
port, protocol := driverutil.SplitPortProto(p)
portNum, err := strconv.ParseInt(port, 10, 0)
if err != nil {
return nil, fmt.Errorf("invalid port number %s: %s", port, err)
}
perms = append(perms, &ec2.IpPermission{
IpProtocol: aws.String(protocol),
FromPort: aws.Int64(portNum),
ToPort: aws.Int64(portNum),
IpRanges: []*ec2.IpRange{{CidrIp: aws.String(ipRange)}},
})
}
log.Debugf("configuring security group authorization for %s", ipRange)
return perms, nil
}